Made in the Czech Republic: a PHP Autorun worm

Recently, a new data-stealing worm caught our attention. The reason why it stands out from many similar amateur creations is that its author is most probably Czech, as the text strings, variable and function names used by the malware suggest.

The Czech text above is displayed by the worm inside a console window and translates to: “Initializing. This operation can take several minutes. Please wait…”, pretending to be a message from Microsoft.

But wait, variable and function names used by the programmer? Those aren’t normally seen in a compiled binary unless we have the associated PDB file (Program DataBase: a file format commonly created at compile-time that may list symbols that aren’t stored in the compiled module itself). But in this case, the worm is written entirely in PHP and “converted” to a PE file using the Bambalam PHP EXE Compiler/Embedder. This embedder simply encodes the PHP source files using Turck MMCache and then adds the resulting PHP bytecode as resources in a launcher binary. By decoding these, we were able to get a fairly accurate view of the original source code.

So let’s take a look at what the malware actually does…

Installation and Spread

Firstly, we classify it as a worm, as it contains methods for spreading itself. In order to replicate through removable media and modify the infected system to ensure persistence, i.e. that it gets relaunched subsequently, the worm copies its body to the following locations:

The root directory of all mounted volumes, except A: and B:. If the drive size is less than ~32GB, the autorun.inf file is also dropped in the hope of exploiting the (at last!) deprecated AutoRun feature of Windows.

The Documents, Desktop, Start Menu, Start MenuPrograms and Start MenuProgramsStartup folders for each user on the system and to the All Users Start MenuPrograms folder. Note that the worm can only copy itself to folders belonging to other users if the worm is run by an administrator account. Also, due to the change of folder naming from Windows Vista onwards, the worm is only able to copy itself to some of the listed folders on earlier Windows systems (such as XP) if it’s a Czech version of the OS.

For each of the above mentioned locations, the worm randomly chooses one of the following innocuous-looking file names:

setup.exe

install.exe

fotky.exe

majkl_dzeksn.exe

barunka.exe

martinka.exe

Harvesting data

The purpose of the worm is to collect a large set of sensitive user data and system information, including:

Messages and other information from various IM clients (such as QIP, ICQ, Digsby)

Saved passwords and other information from various browsers (such as IE, Mozilla Firefox, Opera, Chrome)

Emails and other information from various email clients (such as Outlook, Outlook Express, Mozilla Thunderbird)

Total Commander FTP passwords

Stored Windows credentials

Windows Address Book contacts

Windows User account properties (excluding password)

Network addresses, open connections, tables and statistics

List of running processes and services

Environment variables

List of all user files and directories

List of recently opened documents

Contents of the Registry

MS Windows and MS Office Product Keys

The list of types of data that the worm harvests from the infected machine is quite long, and they are all gathered using various unsophisticated methods. In order to collect most of the data associated with Instant Messaging applications, browsers, and so on, the worm simply uploads all the files from the installation folders of the respective applications. For information related to Windows user accounts, network connections, running processes, and the Windows Registry, the following shell commands are used:

net user

ipconfig

netstat

arp

tasklist

regedit

Another method employed for collecting the victim’s data is the use of third-party password-extraction utilities by NirSoft. The worm’s binary drops and executes four of these tools and sends their output back to the attacker.

The worm uses a simple mechanism for sending the collected data to the remote server. It sends many HTTP POST requests (port 80) containing the stolen data gz-compressed and Base64 encoded.

As you can see from the description above, the worm lacks the sophistication of some of the more advanced malware that we sometimes see. Yet, unfortunately, even these simple threats often get the job done.

Given the very low prevalence of this malware, the fact that at the time of this writing 100% of the detections came from the Czech Republic, and its apparent Czech origin, there is a possibility that this tool was used in a targeted attack on a specific victim. Or it may just have been an experiment by an amateur malware-writer. Or both.

ESET detects this worm as Win32/AutoRun.PSW.Agent.E. The malware analysis was done by Jakub Horký.